Tuesday, May 1, 2012
The Canadians know how to write a law. Here we have laws for phone marketing and we have laws for fax marketing and we have laws for email marketing. The Canadian way does not encompass all forms of marketing, but it should and it is a good start. These days e-mail is almost rendered useless by SPAM.
Here is how the Canadians do it, via ITBusinessEdge online:
"The Canadian government passed CASL in December 2010 to establish a regulatory framework for permission-based marketing, including email marketing, social media marketing, text, and other electronic messaging. This framework will protect electronic commerce in Canada, deter damaging and deceptive forms of spam, such as identity theft, phishing and spyware, and drive out spammers."
Enforcement is the defining issue. We shall see.
Thursday, April 26, 2012
Identifing a Phishing Message
http://www.itbusinessedge.com/slideshows/show.aspx?c=94496&slide=1
Good advice here. If all of these are present in an email you receive, be very suspicious. Italics below are mine... Thomas
Does the email contain information obtainable from social web sites ( Facebook, Twitter, etc. )?
The dizzying amount of information being loaded into social networking sites makes it trivial for an attacker to use them as a source of information to craft a spear phishing message or to gain a victim's trust. With this in mind, private information should always be regarded as belonging to the public domain once they can be found on social networking sites such as Facebook or Twitter. Indeed, a woman in Singapore was arrested recently for allegedly cheating victims of thousands of dollars by masquerading as their cousin. All her information — including their contact number and name of their real-life cousins — was apparently obtained from Facebook accounts.
Is there a web link in the email ?
One predominant objective of hackers entails the loading of malware or Trojans onto their target's PC. Given that executable files are typically blocked in email attachments these days, black hats have evolved their techniques to either trick their victims into downloading the malware over the Internet, or directing them to visit a specially crafted website loaded with a browser exploit. To protect yourself from such scenarios, you should almost never click on a URL link unless it is from a reputable site, and even so you should usually type in the URL manually.
Or get it from your Favorites/Bookmarks if you have it there.
Does the email reference a recent event ?
Major news events such as large-scale catastrophes or the death of celebrities are quickly followed by a wave of phishing messages touting the same news events in their subject lines or email body. No doubt, phishers are hoping that confused or overeager users will let their guard down and click on their proffered URL links in their haste for more information. Hence, be on your guard when you see an email that refers to a current news event.
Also note, who is the email from ?
Does the email have a tone/language a known friend/colleague would use ?
It is trivial for hackers to collect the email addresses and names of colleagues and friends. Larger companies typically publish their staff information on the Internet, while simple social engineering methods could be used to glean details such as the name of one's immediate supervisor or colleagues. The guideline here is to filter such messages based on what we know of the purported senders and how they typically write. Getting a curt "Check out this link" email from a normally verbose coll0eague or a "Nice babes" from a female boss should set alarm bells ringing.
Phishers hijack contacts from online web sites ( Yahoo for example which has been happening quite a bit lately, ) then act like the owner of the contacts, your friend or associate.
Is the email pushing for an immediate response ?
Phishers want their victims to respond immediately, or soon after reading their phishing message. This prevents them from checking with more knowledgeable colleagues, or to otherwise wise up to the trickery. It is for this reason that a message demanding an immediate response deserves a far greater dose of skepticism, and should hence be scrutinized more carefully.
Wednesday, April 11, 2012
Free Apps Kill Smartphone Battery Life
Free Apps Kill Smartphone Battery Life
http://www.cio.com/article/703714/Free_Apps_Kill_Smartphone_Battery_Life?page=1&taxonomyId=3067
Network World — Those free apps like Angry Birds, Instagram and Tiny Wings may be loads of fun, but they suck the battery life out of your smartphone by tracking your geographical location, sending information about you to advertisers and downloading ads.
....
The researchers findings show that 65% to 75% of the energy used to run free apps is spent for advertising-related functions. The free Angry Birds app, for example, was shown to consume about 75% of its power running "advertisement modules" in the software code and only about 25% for actually playing the game. The modules perform marketing functions such as sharing user information and downloading ads, according to the researchers.
....
"A particular source of power inefficiency is a phenomenon called 'tails.' In principle, after an application sends information to the Internet, the 'networking unit' that allows the phone to connect to the Internet should go to a lower power state within a fraction of a second. However, researchers found that after the advertising-related modules finish using the network, the networking unit continues draining power for about seven seconds. The tails are a phenomenon of several smartphone hardware components, including 3G, or third-generation wireless systems, GPS and Wi-Fi, not flaws within the app software itself. However, software developers could sidestep the problem by modifying apps to minimize the effect of tails," Hu said.
....
Today, energy is the single most important factor plaguing smartphones. Modern smartphones come with faster processors, latest sensors, incredible screen resolutions, faster network connectivity, and as such these factors together contribute to the ability of the smartphone to consume energy at much faster rate than the ability to produce/store energy, i.e., the battery capacity. For example, the CPU performance over the last 15 years has grown by 246 times while the battery energy density has only doubled during the same period," wrote Abhinav Pathak, a Purdue doctoral student who was part of the research team.
http://www.cio.com/article/703714/Free_Apps_Kill_Smartphone_Battery_Life?page=1&taxonomyId=3067
Network World — Those free apps like Angry Birds, Instagram and Tiny Wings may be loads of fun, but they suck the battery life out of your smartphone by tracking your geographical location, sending information about you to advertisers and downloading ads.
....
The researchers findings show that 65% to 75% of the energy used to run free apps is spent for advertising-related functions. The free Angry Birds app, for example, was shown to consume about 75% of its power running "advertisement modules" in the software code and only about 25% for actually playing the game. The modules perform marketing functions such as sharing user information and downloading ads, according to the researchers.
....
"A particular source of power inefficiency is a phenomenon called 'tails.' In principle, after an application sends information to the Internet, the 'networking unit' that allows the phone to connect to the Internet should go to a lower power state within a fraction of a second. However, researchers found that after the advertising-related modules finish using the network, the networking unit continues draining power for about seven seconds. The tails are a phenomenon of several smartphone hardware components, including 3G, or third-generation wireless systems, GPS and Wi-Fi, not flaws within the app software itself. However, software developers could sidestep the problem by modifying apps to minimize the effect of tails," Hu said.
....
Today, energy is the single most important factor plaguing smartphones. Modern smartphones come with faster processors, latest sensors, incredible screen resolutions, faster network connectivity, and as such these factors together contribute to the ability of the smartphone to consume energy at much faster rate than the ability to produce/store energy, i.e., the battery capacity. For example, the CPU performance over the last 15 years has grown by 246 times while the battery energy density has only doubled during the same period," wrote Abhinav Pathak, a Purdue doctoral student who was part of the research team.
....
Friday, March 30, 2012
The Supreme Health Care Debate
I am going to do something here that I normally prefer not to do publicly, dive into a heated political debate. Actually I am using a Washington Post editorial to do the talking because is comes closest to how I feel about this issue. With that said, here are the excerpts that I believe best summarize the key issues. ..... Thomas
The Supreme Health Care Debate ( my title .... Thomas )
via The Washington Post, Editorial
http://www.washingtonpost.com/opinions/the-supreme-courts-civics-lesson/2012/03/29/gIQASfdZjS_story.html?wpisrc=nl_cuzheads
Civics lessons from the Supreme Court ( their title, my bolds )
By Editorial Board, Published: March 29
"...the Supreme Court this week ... treated to a challenging civics lesson on federalism, liberty and the limits and potential of government authority. Three points in particular struck us.
....
[ first ]...We share in the disappointment that the justices on both sides of their ideological divide are, for the most part, so predictable. That’s not, in the ideal world, how judging is supposed to work. But we also think there’s a kind of cynicism, or at least intellectual laziness, in asserting that this is an easy or obvious call — that no justice could possibly strike down the mandate out of honest, reasoned conviction. ...it’s not an easy question.
....
...The health-care market is different from all others because virtually everyone, like it or not, will become entangled in it. ...The government, already deeply involved in regulating the health-care market, has a legitimate interest in encouraging you to prepare for such an eventuality.
....
second point — the idea that no American should go without health care, and that society as a whole should be willing to pitch in toward that end, strikes us as much more of a slam-dunk.
....
...Congress could have created a system of incentives to draw in young, healthy people. Or it could have enacted a broadly based tax to pay for the health care it wants to subsidize.
It didn’t — and this brings us to the third point — for a couple of reasons. One was that reform advocates didn’t seriously entertain the constitutional vulnerability of the mandate. But the bigger reason is a more familiar one in Washington these days: None of the politicians wanted to acknowledge the costs.
....
But you can’t get something for nothing, not even something as noble as universal health-care coverage."
The Supreme Health Care Debate ( my title .... Thomas )
via The Washington Post, Editorial
http://www.washingtonpost.com/opinions/the-supreme-courts-civics-lesson/2012/03/29/gIQASfdZjS_story.html?wpisrc=nl_cuzheads
Civics lessons from the Supreme Court ( their title, my bolds )
By Editorial Board, Published: March 29
"...the Supreme Court this week ... treated to a challenging civics lesson on federalism, liberty and the limits and potential of government authority. Three points in particular struck us.
....
[ first ]...We share in the disappointment that the justices on both sides of their ideological divide are, for the most part, so predictable. That’s not, in the ideal world, how judging is supposed to work. But we also think there’s a kind of cynicism, or at least intellectual laziness, in asserting that this is an easy or obvious call — that no justice could possibly strike down the mandate out of honest, reasoned conviction. ...it’s not an easy question.
....
...The health-care market is different from all others because virtually everyone, like it or not, will become entangled in it. ...The government, already deeply involved in regulating the health-care market, has a legitimate interest in encouraging you to prepare for such an eventuality.
....
second point — the idea that no American should go without health care, and that society as a whole should be willing to pitch in toward that end, strikes us as much more of a slam-dunk.
....
...Congress could have created a system of incentives to draw in young, healthy people. Or it could have enacted a broadly based tax to pay for the health care it wants to subsidize.
It didn’t — and this brings us to the third point — for a couple of reasons. One was that reform advocates didn’t seriously entertain the constitutional vulnerability of the mandate. But the bigger reason is a more familiar one in Washington these days: None of the politicians wanted to acknowledge the costs.
....
But you can’t get something for nothing, not even something as noble as universal health-care coverage."
Many people are saying this is win or lose. I disagree. What we have done is put the issue on the table. All parties, political, individual and financial, have been served notice that something must be done about the issue before it devours us all. .... Thomas
Thursday, March 29, 2012
Is That Healthcare Website Making You Sick?
Is That Healthcare Website Making You Sick?
http://www.informationweek.com/news/galleries/healthcare/patient/232700416?pgno=1
A good slide show article to show what a good health related web site should do to substantiate itself and a couple of corroborating sites to verify. .... Thomas
National Center for Complementary and Alternative Medicine
http://nccam.nih.gov/
The fact that alternative medicine websites vary in quality shouldn't discourage you from investigating the field of CAM (complementary alternative medicine). The National Center for Complementary and Alternative Medicine (NCCAM) takes a balanced, objective approach to the subject, posting both positive and negative reports on herb therapy, nutritional supplements, and a variety of other natural remedies.
What separates this site from less credible ones is the quality of the evidence. The website recently reported on a study that found meditation done over an 8-week period reduces the severity of irritable bowel syndrome symptoms in women. This study, for instance, was carefully controlled to rule out other contributing factors that may have influenced symptoms, and it was published in a respected medical journal--The American Journal of Gastroenterology--which means it first had to go through a review by skeptical scientists who would have rejected it if it hadn't met high standards.
WebMD
http://www.webmd.com/
Contrast Sensa's discussion about weight loss to WebMD's balanced approach. The article on weight-loss supplements pictured above presents the pros and cons in plain English so you can make an informed decision.
For instance, here's an excerpt from the site's discussion of green tea: "Although [the nutritionist Toby] Smithson cautions that there are not enough human studies to prove the effectiveness of green tea extract as a weight-loss supplement, she tells WebMD '...there is some thought that regular consumption may promote weight loss by adjusting resting energy usage and increasing the use of energy.' "
The language here is optimistic but cautious. It suggests that some experiments might support the use of green tea for weight loss, but it's also clear that there's not enough human data to prove its effectiveness.
It's also important to understand the difference between animal versus human research. As you look through health-related web sites, you'll likely find many claims of product success based on "solid scientific evidence published in respected journals." But often the research has been done using only mice. That's hardly proof that the same results will occur in people.
WebMD also earns points for including a list of sources at the end of the article, so users can do their own research on the credibility of the reports cited.
ConsumerLab.com
http://www.consumerlab.com/
The web is full of articles about the benefits of nutritional supplements, and there's good research to suggest some of these supplements can in fact help prevent and treat certain diseases. But many consumers wonder about the quality of the specific brands that they see in the supermarket or online. Does that tablet actually contain 500 mg of vitamin E as listed on the label? Are there any unsafe contaminants in that calcium pill? At least one website can help answer these questions.
ConsumerLab.com does disintegration analysis on numerous products to determine whether they actually dissolve once they enter a person's digestive system or pass through whole. It also contracts with independent laboratories that perform a variety of other tests to verify that the dosage on the label is accurate, for instance, or to check for lead contamination.
One recent analysis of Omega-3 fatty acid supplements reported on the site found quality problems with 7 out of 24 products. Problems included a product with less Omega-3 fatty acids than cited on the label, a children's fish oil formula that was spoiled when purchased, and an enteric-coated fish oil soft-gel that released its oil too early. (Enteric coating prevents a capsule from breaking down until it reaches the small intestine.)
ClinicalTrials.gov
http://clinicaltrials.gov/
Most physicians are much too busy to keep up with all the latest medical research and innovations, and even their online reference tools can sometimes be outdated or too narrowly focused to cover every patient's unique situation. Unfortunately, some clinicians can also be quick to dismiss potentially helpful therapies that are unfamiliar. If your doctor has exhausted all treatment options and you're still suffering, perhaps it's time to think about looking for a clinical trial.
The federal government keeps an online database called clinicaltrials.gov, which lists federally and privately supported clinical trials conducted in the United States and around the world. It provides information about each trial, including its purpose, who may participate, locations, and phone numbers for more details. The site, however, also cautions: "This information should be used in conjunction with advice from health care professionals."
A search for trials for patients suffering from fibromyalgia--a mysterious disorder that causes musculoskeletal pain, fatigue, and localized tenderness--revealed several studies testing the value of acupuncture, and another study examining whether vaccinations play a role.
Medical Library Association
http://caphis.mlanet.org/consumer/
Evaluating medical websites can be a full-time occupation. Fortunately, there are information professionals who are up to the task. CAPHIS, the Consumer and Patient Health Information Section of the Medical Library Association, puts out a useful list of trustworthy health websites and categorizes them by specialty, including women's and men's health, parenting and kids, drug information, and senior health.
Health on the Net Foundation
http://www.hon.ch/HONcode/Conduct.html
The Health on the Net Foundation outlines 8 attributes that a health-related website should include to be considered trustworthy. Sites that follow this "code of honor" can qualify for the foundation's seal of approval, indicated by the HONcode icon on certified sites.
To qualify, a website must be authoritative and maintain complementarity, which means the information should support and not replace the relationship you have with your doctor. The site should also provide attributions for the statements it posts. A page on the site puts it this way: "Where appropriate, information contained on this site will be supported by clear references to source data and, where possible, have specific HTML links to that data. The date when a clinical page was last modified will be clearly displayed..."
Other criteria to earn the HONcode icon: financial disclosures should be provided to identify any funding sources; advertising and editorial content should be separate and clearly marked. And perhaps the most important requirement is something the foundation calls justifiability: "Any claims relating to the benefits/performance of a specific treatment, commercial product, or service will be supported by appropriate, balanced evidence..."
http://www.informationweek.com/news/galleries/healthcare/patient/232700416?pgno=1
A good slide show article to show what a good health related web site should do to substantiate itself and a couple of corroborating sites to verify. .... Thomas
National Center for Complementary and Alternative Medicine
http://nccam.nih.gov/
The fact that alternative medicine websites vary in quality shouldn't discourage you from investigating the field of CAM (complementary alternative medicine). The National Center for Complementary and Alternative Medicine (NCCAM) takes a balanced, objective approach to the subject, posting both positive and negative reports on herb therapy, nutritional supplements, and a variety of other natural remedies.
What separates this site from less credible ones is the quality of the evidence. The website recently reported on a study that found meditation done over an 8-week period reduces the severity of irritable bowel syndrome symptoms in women. This study, for instance, was carefully controlled to rule out other contributing factors that may have influenced symptoms, and it was published in a respected medical journal--The American Journal of Gastroenterology--which means it first had to go through a review by skeptical scientists who would have rejected it if it hadn't met high standards.
WebMD
http://www.webmd.com/
Contrast Sensa's discussion about weight loss to WebMD's balanced approach. The article on weight-loss supplements pictured above presents the pros and cons in plain English so you can make an informed decision.
For instance, here's an excerpt from the site's discussion of green tea: "Although [the nutritionist Toby] Smithson cautions that there are not enough human studies to prove the effectiveness of green tea extract as a weight-loss supplement, she tells WebMD '...there is some thought that regular consumption may promote weight loss by adjusting resting energy usage and increasing the use of energy.' "
The language here is optimistic but cautious. It suggests that some experiments might support the use of green tea for weight loss, but it's also clear that there's not enough human data to prove its effectiveness.
It's also important to understand the difference between animal versus human research. As you look through health-related web sites, you'll likely find many claims of product success based on "solid scientific evidence published in respected journals." But often the research has been done using only mice. That's hardly proof that the same results will occur in people.
WebMD also earns points for including a list of sources at the end of the article, so users can do their own research on the credibility of the reports cited.
ConsumerLab.com
http://www.consumerlab.com/
The web is full of articles about the benefits of nutritional supplements, and there's good research to suggest some of these supplements can in fact help prevent and treat certain diseases. But many consumers wonder about the quality of the specific brands that they see in the supermarket or online. Does that tablet actually contain 500 mg of vitamin E as listed on the label? Are there any unsafe contaminants in that calcium pill? At least one website can help answer these questions.
ConsumerLab.com does disintegration analysis on numerous products to determine whether they actually dissolve once they enter a person's digestive system or pass through whole. It also contracts with independent laboratories that perform a variety of other tests to verify that the dosage on the label is accurate, for instance, or to check for lead contamination.
One recent analysis of Omega-3 fatty acid supplements reported on the site found quality problems with 7 out of 24 products. Problems included a product with less Omega-3 fatty acids than cited on the label, a children's fish oil formula that was spoiled when purchased, and an enteric-coated fish oil soft-gel that released its oil too early. (Enteric coating prevents a capsule from breaking down until it reaches the small intestine.)
ClinicalTrials.gov
http://clinicaltrials.gov/
Most physicians are much too busy to keep up with all the latest medical research and innovations, and even their online reference tools can sometimes be outdated or too narrowly focused to cover every patient's unique situation. Unfortunately, some clinicians can also be quick to dismiss potentially helpful therapies that are unfamiliar. If your doctor has exhausted all treatment options and you're still suffering, perhaps it's time to think about looking for a clinical trial.
The federal government keeps an online database called clinicaltrials.gov, which lists federally and privately supported clinical trials conducted in the United States and around the world. It provides information about each trial, including its purpose, who may participate, locations, and phone numbers for more details. The site, however, also cautions: "This information should be used in conjunction with advice from health care professionals."
A search for trials for patients suffering from fibromyalgia--a mysterious disorder that causes musculoskeletal pain, fatigue, and localized tenderness--revealed several studies testing the value of acupuncture, and another study examining whether vaccinations play a role.
Medical Library Association
http://caphis.mlanet.org/consumer/
Evaluating medical websites can be a full-time occupation. Fortunately, there are information professionals who are up to the task. CAPHIS, the Consumer and Patient Health Information Section of the Medical Library Association, puts out a useful list of trustworthy health websites and categorizes them by specialty, including women's and men's health, parenting and kids, drug information, and senior health.
Health on the Net Foundation
http://www.hon.ch/HONcode/Conduct.html
The Health on the Net Foundation outlines 8 attributes that a health-related website should include to be considered trustworthy. Sites that follow this "code of honor" can qualify for the foundation's seal of approval, indicated by the HONcode icon on certified sites.
To qualify, a website must be authoritative and maintain complementarity, which means the information should support and not replace the relationship you have with your doctor. The site should also provide attributions for the statements it posts. A page on the site puts it this way: "Where appropriate, information contained on this site will be supported by clear references to source data and, where possible, have specific HTML links to that data. The date when a clinical page was last modified will be clearly displayed..."
Other criteria to earn the HONcode icon: financial disclosures should be provided to identify any funding sources; advertising and editorial content should be separate and clearly marked. And perhaps the most important requirement is something the foundation calls justifiability: "Any claims relating to the benefits/performance of a specific treatment, commercial product, or service will be supported by appropriate, balanced evidence..."
Tuesday, March 27, 2012
Why Hackers Set Their Sights on Small Businesses
Why Hackers Set Their Sights on Small Businesses
CSO Security and Risk Online, March 22, 2012
http://www.csoonline.com/article/print/702672
....
"SMBs [ Small and Medium Businesses ]don't know how defenseless they've become, especially to automated and industrialized attack methodologies by organized crime," Christopher Porter tells PCWorld. Porter, a principal with the Verizon RISK Team, is the author of a new report from Verizon on security risk.
....
"[Hackers] scan the Internet, looking for remote access services, and then try the default credentials. Once they gain access, they automatically install keyloggers to collect password information [as it's typed in],..."
"...they'll target point-of-sale systems [ POS ], as four Romanians did recently. "That kind of attack is increasing, because they're low-risk and low-cost attacks for organized crime."
....
But if small businesses are increasingly vulnerable, Porter characterized the tactics they should employ in response as "quite simple.
If you have a point-of-sale system, make sure to change the password from the default it came with. It shouldn't be microsmicros or alohaaloha," citing two common POS systems. "The problem is that when small businesses think about their POS system, they worry about whether it's going to be available when they sell the shirt or charge for the burger," Porter says. "They're not worried about confidentiality. They're worried about margins."
Verizon's Fifth Annual Data Breach Report
The fifth-annual Verizon 2012 Data Breach Investigations Report, produced in conjunction with the United States Secret Service, the Dutch National High Tech Crime Unit, the Australian Federal Police, the Irish Reporting & Information Security Service, and the London Metropolitan Police's cybercrime unit, reveals seventy-nine percent of attacks represented in the report were opportunistic.
Of all the attacks the report studied, it found 96 percent were not difficult to achieve and 97 percent were avoidable, "without the need for organizations to resort to difficult or expensive countermeasures."
What does the Verizon report recommend small businesses do? The report cites three simple things:
In addition, Porter recommends some other simple steps:
Porter stresses that, in most cases, these infiltrations are targets of opportunity. If small business follows the simple procedures outlined, they're less likely to be targeted. "The criminals will pass right by you."
---------------------------------------------------------
Also, in a related article:
http://www.csoonline.com/article/print/702667
...hackers used relatively simple methods in more than 90% of data breaches in 2011...
...in a vast majority of attacks (80%), hackers hit victims of opportunity rather than companies they sought out. ...
....
...based on the investigations into more than 850 data breaches. ...
....
Data breach victims and security vendors generally tend to describe attacks as highly sophisticated and involving a great deal of expertise on the part of hackers.
The Verizon report though shows a far more mundane reality.
....
Very often, the companies breached had no firewalls, had ports open to the Internet or used default or easily guessable passwords, said Marc Spitler a Verizon security analyst.
....
-----------------------------------------------------------------
I could add some smart comment here but it would just be redundant of what the article states. Ok, I will say it anyway. Simple steps will go a long way. Now that we are on the Internet, the bad guys have 24/7/365 to get in. Be aware, do something. .....Thomas
CSO Security and Risk Online, March 22, 2012
http://www.csoonline.com/article/print/702672
....
"SMBs [ Small and Medium Businesses ]don't know how defenseless they've become, especially to automated and industrialized attack methodologies by organized crime," Christopher Porter tells PCWorld. Porter, a principal with the Verizon RISK Team, is the author of a new report from Verizon on security risk.
....
"[Hackers] scan the Internet, looking for remote access services, and then try the default credentials. Once they gain access, they automatically install keyloggers to collect password information [as it's typed in],..."
"...they'll target point-of-sale systems [ POS ], as four Romanians did recently. "That kind of attack is increasing, because they're low-risk and low-cost attacks for organized crime."
....
But if small businesses are increasingly vulnerable, Porter characterized the tactics they should employ in response as "quite simple.
If you have a point-of-sale system, make sure to change the password from the default it came with. It shouldn't be microsmicros or alohaaloha," citing two common POS systems. "The problem is that when small businesses think about their POS system, they worry about whether it's going to be available when they sell the shirt or charge for the burger," Porter says. "They're not worried about confidentiality. They're worried about margins."
Verizon's Fifth Annual Data Breach Report
The fifth-annual Verizon 2012 Data Breach Investigations Report, produced in conjunction with the United States Secret Service, the Dutch National High Tech Crime Unit, the Australian Federal Police, the Irish Reporting & Information Security Service, and the London Metropolitan Police's cybercrime unit, reveals seventy-nine percent of attacks represented in the report were opportunistic.
Of all the attacks the report studied, it found 96 percent were not difficult to achieve and 97 percent were avoidable, "without the need for organizations to resort to difficult or expensive countermeasures."
What does the Verizon report recommend small businesses do? The report cites three simple things:
- Use a firewall. Install and maintain a firewall on Internet-facing services to protect data. Hackers cannot steal what they cannot reach.
- Change default credentials. Point-of-sale (POS) and other systems come with pre-set credentials. Change the credentials to prevent unauthorized access.
- Monitor third parties. Third parties often manage firewalls and POS systems. Organizations should monitor these vendors to ensure they have implemented the above security recommendations, where applicable.
In addition, Porter recommends some other simple steps:
- Educate your staff, especially in regard to social phishing. "Set up policies, and then make sure they're being followed. The weakest link in security will always be the carbon-based life form."
- Follow through on what you've bought. "Businesses spend a lot of money on security technology, but then they don't configure them properly, or ignore the reports. A well-tuned intrusion detection system that's tailored to your environment is a powerful tool for finding hacking incidents on the network."
- Think about security frequently, not just when you're being audited. "Check the logs of your Windows OS system, your POS system, and your security software." If that represents too big a time commitment, then hire someone to do it. Don't ignore them.
Porter stresses that, in most cases, these infiltrations are targets of opportunity. If small business follows the simple procedures outlined, they're less likely to be targeted. "The criminals will pass right by you."
---------------------------------------------------------
Also, in a related article:
http://www.csoonline.com/article/print/702667
...hackers used relatively simple methods in more than 90% of data breaches in 2011...
...in a vast majority of attacks (80%), hackers hit victims of opportunity rather than companies they sought out. ...
....
...based on the investigations into more than 850 data breaches. ...
....
Data breach victims and security vendors generally tend to describe attacks as highly sophisticated and involving a great deal of expertise on the part of hackers.
The Verizon report though shows a far more mundane reality.
....
Very often, the companies breached had no firewalls, had ports open to the Internet or used default or easily guessable passwords, said Marc Spitler a Verizon security analyst.
....
-----------------------------------------------------------------
I could add some smart comment here but it would just be redundant of what the article states. Ok, I will say it anyway. Simple steps will go a long way. Now that we are on the Internet, the bad guys have 24/7/365 to get in. Be aware, do something. .....Thomas
Monday, March 12, 2012
Ransomware Spreading into U.S.....
Via http://www.csoonline.com/article/701938/ransom-trojans-spreading-beyond-russian-heartland?source=CSONLE_nlt_techwatch_2012-03-12
Ransom Trojans spreading beyond Russian heartland
....
Ransomware is really the ultimate form of social engineering malware in that people are invited to agree to defraud themselves. The trick is to get people to believe there is no alternative to agreeing to their malware's terms.
After existing at very low levels for years, ransom attacks suddenly started to spike in mid-2010, examples of which include an attack in which Windows users were accused of running a counterfeit version of the OS and asked for a $143 (APS91) payment.
Trend itself reported on a worm that used the more common tactic of locking the PCs of victims (the exact method varies in severity from example to example but is often relatively trivial), demanding a small payment to have control returned.
Closer to home, a ransom Trojan affecting UK users impersonated the Metropolitan Police in order to persuade users that porn had been detected on their computers, requiring a payment to be made. Versions of this scam have appeared in almost every European country.
Trend comes up with two explanations for the form's growing popularity among criminals, the biggest of which is the recent disruption of the industry behind fake antivirus scams. This has sent developers to new types of attack that can make use of payment channels less dependant on credit cards, which create an evidence trail.
"Ukash and Paysafecard are widely used online payment methods that do not require personal details. Such level of anonymity has naturally earned the attention of cybercriminals and, as we can see, is now being abused for the ransomware business," said Trend threat engineer, Roland Dela Paz.
---------------------------
Ukash and Paysafecard are of European origin. What will the use in the States ? Paypal ?
Don't trust your e-mail. Thomas
Ransom Trojans spreading beyond Russian heartland
....
Ransomware is really the ultimate form of social engineering malware in that people are invited to agree to defraud themselves. The trick is to get people to believe there is no alternative to agreeing to their malware's terms.
After existing at very low levels for years, ransom attacks suddenly started to spike in mid-2010, examples of which include an attack in which Windows users were accused of running a counterfeit version of the OS and asked for a $143 (APS91) payment.
Trend itself reported on a worm that used the more common tactic of locking the PCs of victims (the exact method varies in severity from example to example but is often relatively trivial), demanding a small payment to have control returned.
Closer to home, a ransom Trojan affecting UK users impersonated the Metropolitan Police in order to persuade users that porn had been detected on their computers, requiring a payment to be made. Versions of this scam have appeared in almost every European country.
Trend comes up with two explanations for the form's growing popularity among criminals, the biggest of which is the recent disruption of the industry behind fake antivirus scams. This has sent developers to new types of attack that can make use of payment channels less dependant on credit cards, which create an evidence trail.
"Ukash and Paysafecard are widely used online payment methods that do not require personal details. Such level of anonymity has naturally earned the attention of cybercriminals and, as we can see, is now being abused for the ransomware business," said Trend threat engineer, Roland Dela Paz.
---------------------------
Ukash and Paysafecard are of European origin. What will the use in the States ? Paypal ?
Don't trust your e-mail. Thomas
Friday, March 9, 2012
The Faux 4G Debate, Enhanced
Well, it looks like I am going to have to backtrack on my tirade on the cell carriers "claiming" to have 4G service. In my defense, they are playing "Calvin ball" with the technology. They changed the rules in the middle of the game. ...... Thomas
Via The Washington Post, Business & Technology.
....
But many people may not know that the iPhone 4S is capable of running on AT&T’s HSPA+ network — a technology that AT&T and T-Mobile both use to advertise their “4G” devices. HSPA+ is essentially 3G technology that’s been enhanced to run speeds close to those of 4G networks, but still runs slower than either LTE or WiMax.
The new label likely raised questions for AT&T customers who were affected by the carrier’s latest tweaks to its unlimited plan. The changes stipulate that 4G LTE customers will have their data speeds slowed down after they hit a 5 GB limit for the month; all other customers will see slower speeds after 3 GB per month.
AT&T spokesman Mark Siegel confirmed in an e-mail that the iPhone 4S falls into the second category.
There’s actually a lot of debate as to what, exactly constitutes 4G since the International Telecommunications Union relaxed its definition in Dec. 2010. Before then, none of the technologies in the United States — LTE, WiMax or HSPA+ — were considered fourth-generation cell networks. Now, they are.
Via The Washington Post, Business & Technology.
....
But many people may not know that the iPhone 4S is capable of running on AT&T’s HSPA+ network — a technology that AT&T and T-Mobile both use to advertise their “4G” devices. HSPA+ is essentially 3G technology that’s been enhanced to run speeds close to those of 4G networks, but still runs slower than either LTE or WiMax.
The new label likely raised questions for AT&T customers who were affected by the carrier’s latest tweaks to its unlimited plan. The changes stipulate that 4G LTE customers will have their data speeds slowed down after they hit a 5 GB limit for the month; all other customers will see slower speeds after 3 GB per month.
AT&T spokesman Mark Siegel confirmed in an e-mail that the iPhone 4S falls into the second category.
There’s actually a lot of debate as to what, exactly constitutes 4G since the International Telecommunications Union relaxed its definition in Dec. 2010. Before then, none of the technologies in the United States — LTE, WiMax or HSPA+ — were considered fourth-generation cell networks. Now, they are.
DNS Changer Virus info.....
Run "ipconfig /all" in a DOS or CMD window, look at the IP on the DNS lines. You can have two or more DNS IPs listed.
If any have the IPs listed below, you have been infected with the DNS Changer Virus. The FBI and European law enforcement agencies will be shuting the bad DNS servers down on July 8th of 2012. If you have been infected, you will no longer be able to browse the internet or use your e-mail.
The odds are you haven't been infected. It only takes a minute to see and resolve the problem. The site at the bottom of this post has a download tool to remove the virus and fix your DNS IPs.
Thomas
----------------------------------------------
Are you safe?
http://dcwg.org/checkup.html
If your computers' DNS settings use the follow ranges, then you likely have been affected by the DNS Changer viruses.
Between this IP-----and this IP
77.67.83.1----------77.67.83.254
85.255.112.1--------85.255.127.254
67.210.0.1----------67.210.15.254
93.188.160.1--------93.188.167.254
213.109.64.1--------213.109.79.254
64.28.176.1---------64.28.191.254
------------------------------------------------
Tool available for those affected by the DNS-Changer
http://www.avira.com/en/support-for-home-knowledgebase-detail/kbid/1199
The malware family of the DNS-changer manipulates the Windows network settings.
The DNS server entries are changed on the respective network adapter to achieve this. In the event of an infection, this will divert requests from web sites to malicious sites that are maintained by criminals.
The operators of those DNS servers have been arrested in November 2011 by the FBI and European law enforcement authorities. Additionally, the servers have been replaced with correctly working DNS-servers.
However, those servers will be shut down as of March 8th, 2012. [ Changed to July 8, 2012 recently.... 3/9/2012 TH ]
Computers that have been affected and did not apply the recommended changes within the settings, will not able to use the internet anymore, since the users are unable to dissolve domain names now without having access to the DNS.
Avira provides a tool for this purpose that will reset the entries to Windows standard.
Note:
The tool doesn't send any data through the internet. An installation of the tool is not required.
However, a restart of Windows will be necessary after the execution of the tool and a successful repair.
Download Avira DNS Repair-Tool
http://www.avira.com/files/support/FAQ_KB_Download_Files/EN/AviraDNSRepairEN.exe
If any have the IPs listed below, you have been infected with the DNS Changer Virus. The FBI and European law enforcement agencies will be shuting the bad DNS servers down on July 8th of 2012. If you have been infected, you will no longer be able to browse the internet or use your e-mail.
The odds are you haven't been infected. It only takes a minute to see and resolve the problem. The site at the bottom of this post has a download tool to remove the virus and fix your DNS IPs.
Thomas
----------------------------------------------
Are you safe?
http://dcwg.org/checkup.html
If your computers' DNS settings use the follow ranges, then you likely have been affected by the DNS Changer viruses.
Between this IP-----and this IP
77.67.83.1----------77.67.83.254
85.255.112.1--------85.255.127.254
67.210.0.1----------67.210.15.254
93.188.160.1--------93.188.167.254
213.109.64.1--------213.109.79.254
64.28.176.1---------64.28.191.254
------------------------------------------------
Tool available for those affected by the DNS-Changer
http://www.avira.com/en/support-for-home-knowledgebase-detail/kbid/1199
The malware family of the DNS-changer manipulates the Windows network settings.
The DNS server entries are changed on the respective network adapter to achieve this. In the event of an infection, this will divert requests from web sites to malicious sites that are maintained by criminals.
The operators of those DNS servers have been arrested in November 2011 by the FBI and European law enforcement authorities. Additionally, the servers have been replaced with correctly working DNS-servers.
However, those servers will be shut down as of March 8th, 2012. [ Changed to July 8, 2012 recently.... 3/9/2012 TH ]
Computers that have been affected and did not apply the recommended changes within the settings, will not able to use the internet anymore, since the users are unable to dissolve domain names now without having access to the DNS.
Avira provides a tool for this purpose that will reset the entries to Windows standard.
Note:
The tool doesn't send any data through the internet. An installation of the tool is not required.
However, a restart of Windows will be necessary after the execution of the tool and a successful repair.
Download Avira DNS Repair-Tool
http://www.avira.com/files/support/FAQ_KB_Download_Files/EN/AviraDNSRepairEN.exe
Wednesday, March 7, 2012
"Google should not be your top privacy worry...."
From InformationWeek Security commentary online, a discussion of real privacy concerns....Thomas:
http://www.informationweek.com/news/security/privacy/232601954?cid=nl_IW_daily_2012-03-05_html&elq=4d42c17caeeb43daa3978f79d6ed1541
The outcry is both appropriate and ridiculous.
The author, Thomas Claburn, also states:
"That doesn't mean privacy isn't worthwhile. It's just complicated. We should expect and demand that companies are straightforward about how they're using information. Here Google and other businesses need to do more, to be more specific about how they leverage data. ...."
One of my favorite new TV shows is "Person of Interest", which could have a sub-title of "Big Data in Action". It is about a computer system that analyzes information about us and determines when some one is in trouble. The sources of information about us are almost limitless. Who or what has access to it and how they use it will always merit watching. Do you have an FBI file ?
http://www.informationweek.com/news/security/privacy/232601954?cid=nl_IW_daily_2012-03-05_html&elq=4d42c17caeeb43daa3978f79d6ed1541
The outcry is both appropriate and ridiculous.
Worries about online privacy are appropriate because online privacy is terrible. Remember Facebook's Beacon ad targeting system, which caused similar controversy in 2007? Well, read Google's new privacy policy, the part about pixel tags.
Google explains, "A pixel tag is a type of technology placed on a website or within the body of an email for the purpose of tracking activity on websites, or when emails are opened or accessed, and is often used in combination with cookies."
That's basically what Facebook's Beacon system did. But it's not just Google doing this, it's pretty much every online ad company and major Internet service."
....
"...worries about online privacy are ridiculous because we don't really want privacy. We want to feel like we're in control, whether or not we are or can be. We want a property right in the information we generate and passively express. You'd better hope that we never get that far because there won't be any information economy after that.
....
"...worries about online privacy are ridiculous because we don't really want privacy. We want to feel like we're in control, whether or not we are or can be. We want a property right in the information we generate and passively express. You'd better hope that we never get that far because there won't be any information economy after that.
Privacy doesn't sell, at least beyond those in the market for tin foil hats."
....
"Though Google consolidated its privacy policies to allow it to generate more ad revenue by delivering more relevant ads, it also is offering what it believes is a better experience. So before you take up arms against Google, which is mainly trying to make enough money to pay for all those videos you're uploading and watching on YouTube,
here, in no particular order, are a few privacy violators to worry about."
....
"Though Google consolidated its privacy policies to allow it to generate more ad revenue by delivering more relevant ads, it also is offering what it believes is a better experience. So before you take up arms against Google, which is mainly trying to make enough money to pay for all those videos you're uploading and watching on YouTube,
here, in no particular order, are a few privacy violators to worry about."
"
1. Shoulder surfers 2. Hackers 3. Other people 4. Governments 5. Credit bureaus 6. Information vendors 7. Your employer 8. You
"
....
"The list could go on. Insurers, retailers, ISPs, developers, telecom companies, electric utilities, grocery stores, and anyone rifling through your garbage might know more about you than you realize. Frankly, if Google's tracking is your major concern, you probably have very little to worry about."
....
"Trust as much as you have to, verify what you care about, block where necessary, and try to find your own personal comfort zone in the information economy."
1. Shoulder surfers 2. Hackers 3. Other people 4. Governments 5. Credit bureaus 6. Information vendors 7. Your employer 8. You
"
....
"The list could go on. Insurers, retailers, ISPs, developers, telecom companies, electric utilities, grocery stores, and anyone rifling through your garbage might know more about you than you realize. Frankly, if Google's tracking is your major concern, you probably have very little to worry about."
....
"Trust as much as you have to, verify what you care about, block where necessary, and try to find your own personal comfort zone in the information economy."
--------------------------------------------------- Me: ----------------------------------------------------------
The bottom line is how do we pay for a "free", as in $ not freedom, Internet ? I, for one would rather have targeted marketing so the ads are relevant to me. When you use store cards for discounts you are being paid for information about you so the store may better target your buying preferences. Is that bad ?
There is a story that a national store, with the information gleaned from their store cards, sent a young lady ads on pregnancy products through the USPS mail. When the parents saw the ads they were furious that the store was promoting unacceptable sexual conduct for their teenage daughter. Turns out the teenager was already pregnant and buying auxiliary products to take care of herself. The story goes that the store now mixes in unrelated products with the targeted products; kind of backing out of the original goal of targeted marketing. The moral being that we are all learning this new, more open environment and how to manage it.
The bottom line is how do we pay for a "free", as in $ not freedom, Internet ? I, for one would rather have targeted marketing so the ads are relevant to me. When you use store cards for discounts you are being paid for information about you so the store may better target your buying preferences. Is that bad ?
There is a story that a national store, with the information gleaned from their store cards, sent a young lady ads on pregnancy products through the USPS mail. When the parents saw the ads they were furious that the store was promoting unacceptable sexual conduct for their teenage daughter. Turns out the teenager was already pregnant and buying auxiliary products to take care of herself. The story goes that the store now mixes in unrelated products with the targeted products; kind of backing out of the original goal of targeted marketing. The moral being that we are all learning this new, more open environment and how to manage it.
The author, Thomas Claburn, also states:
"That doesn't mean privacy isn't worthwhile. It's just complicated. We should expect and demand that companies are straightforward about how they're using information. Here Google and other businesses need to do more, to be more specific about how they leverage data. ...."
One of my favorite new TV shows is "Person of Interest", which could have a sub-title of "Big Data in Action". It is about a computer system that analyzes information about us and determines when some one is in trouble. The sources of information about us are almost limitless. Who or what has access to it and how they use it will always merit watching. Do you have an FBI file ?
Monday, March 5, 2012
Yet another acronym, MOOC, yet really cool.....
Via The New York Times (NYT):
"Massive Open Online Courses — known as MOOCs — a tool for democratizing higher education."
http://www.nytimes.com/2012/03/05/education/moocs-large-courses-open-to-all-topple-campus-walls.html?nl=todaysheadlines&emc=tha26
--------------------------------------------------------
Me:
Several major universities are forging into this amazing future of education. While they are looking for ways to capitalize in it, the courses are free. If you get a certification of completion, you may pay. If a company is looking for certain skills in a certain area, they may need to pay the university for a list of potentials. Great, make the capitalists pay for the availability of the skills they need. Works for me.
I am eyeing the upcoming Computer Security course at Stanford. Don't be looking for intro courses from these providers, but the practice should trickle down over time.
---------------------------------------------------------------
Some of the major universities involved at this early stage:
Stanford:
http://www.cs101-class.org/hub.php
MIT info article:
http://www.wiredacademic.com/2011/12/mit-announces-mitx-expanding-its-opencourseware-project/
Georgia Institute of Technology:
http://gtmooc.com/
“What we found was that in a MOOC, instead of the classroom being the center, it becomes just one node of the network of social interactions.”
"Massive Open Online Courses — known as MOOCs — a tool for democratizing higher education."
http://www.nytimes.com/2012/03/05/education/moocs-large-courses-open-to-all-topple-campus-walls.html?nl=todaysheadlines&emc=tha26
--------------------------------------------------------
Me:
Several major universities are forging into this amazing future of education. While they are looking for ways to capitalize in it, the courses are free. If you get a certification of completion, you may pay. If a company is looking for certain skills in a certain area, they may need to pay the university for a list of potentials. Great, make the capitalists pay for the availability of the skills they need. Works for me.
I am eyeing the upcoming Computer Security course at Stanford. Don't be looking for intro courses from these providers, but the practice should trickle down over time.
---------------------------------------------------------------
Some of the major universities involved at this early stage:
Stanford:
http://www.cs101-class.org/hub.php
MIT info article:
http://www.wiredacademic.com/2011/12/mit-announces-mitx-expanding-its-opencourseware-project/
Georgia Institute of Technology:
http://gtmooc.com/
“What we found was that in a MOOC, instead of the classroom being the center, it becomes just one node of the network of social interactions.”
Sunday, March 4, 2012
How to use images on the web....
Apparently there are best ways to embed images to hold attention. Apparently I didn't know the best practices.
http://blog.kissmetrics.com/shocking-truth-about-graphics/
Summary:
Caption below image,
Story below caption,
Keep left margin straight and stable.
Thanks to Guy Kawasaki on Google+ for the heads up.
Cheers.
http://blog.kissmetrics.com/shocking-truth-about-graphics/
Summary:
Caption below image,
Story below caption,
Keep left margin straight and stable.
Thanks to Guy Kawasaki on Google+ for the heads up.
Cheers.
Amazing story, great photos, missing bugs....
The rock this story occurs on is amazing, jutting out of the South Pacific east of Australia. Talk about some tenacious bugs, how did they survive, and how did they get there ?
http://www.npr.org/blogs/krulwich/2012/02/24/147367644/six-legged-giant-finds-secret-hideaway-hides-for-80-years
Enjoy.
http://www.npr.org/blogs/krulwich/2012/02/24/147367644/six-legged-giant-finds-secret-hideaway-hides-for-80-years
Enjoy.
Greetings....
Bear with me while I learn this environment. I am looking forward to getting my favorite pics and some relevant comments posted. Right now I am playing with the page template....
Subscribe to:
Posts (Atom)